Forward  deployed  Ticonderoga-dass  guided-missile  cruiser 
USS  Cowpens  launches  Harpoon  missile  from  aft  missile 
deck  as  part  of  live-fire  exercise  in  Valiant  Shield  2012 
(U.S.  Navy/Paul  Kelly) 
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s  a  concept,  deterrence  has 
been  part  of  the  military  ver¬ 
nacular  since  antiquity.  In  his 
History  of  the  Peloponnesian  Whr, 
Thucydides  quotes  Hermocrates  as 
stating,  “Nobody  is  driven  into  war 
by  ignorance,  and  no  one  who  thinks 
that  he  will  gain  anything  from  it  is 


deterred  by  fear.”^  In  the  2,400  years 
since  then,  the  domains  for  the  conduct 
of  military  affairs  have  expanded  from 
the  original  land  and  maritime  domains 
to  air,  space,  and  now  cyberspace.  As 
warfighting  expanded  its  scope,  stra¬ 
tegic  theory  did  as  well.  Today,  U.S. 
doctrine  declares  that  the  fundamental 
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Figure  1.  Cyberspace  Components 


purpose  of  the  military  is  to  deter 
or  wage  war  in  support  of  national 
policy.^  Therefore,  military  strategists 
and  planners  have  a  responsibility  to 
assess  how  adversaries  may  be  deterred 
in  any  warfighting  domain.  Through 
the  joint  planning  process,  planners, 
working  through  the  interagency 
process,  consider  deterrent  options  for 
every  instrument  of  national  power — 
diplomatic,  informational,  military,  and 
economic — across  all  phases  of  military 
operations.^  However,  most  of  the 
thought  and  analysis  in  deterrence  has 
revolved  around  the  use  of  conventional 
and  nuclear  weapons. 

In  May  2009,  President  Barack 
Obama  acknowledged  the  United  States 
considers  its  digital  infrastructure  a 
strategic  national  asset  and  declared  that 
protecting  it  would  be  a  national  security 
priority.^  Besides  working  to  ensure  in¬ 
formation  and  communication  networks 
are  secure,  this  protection  would  also  take 
the  form  of  deterring,  preventing,  detect¬ 
ing,  and  defending  against  cyber  attacks. 
As  a  result,  American  national  and  mili¬ 
tary  policy  has  incorporated  cyberspace 
deterrence  as  a  necessary  objective  and 
has  identified  a  need  to  use  cyber  capa¬ 
bilities  to  deter  adversaries  in  or  through 
cyberspace.  But  is  this  an  achievable  ob¬ 
jective  and,  if  so,  to  what  extent? 

By  providing  an  understanding  of 
the  cyberspace  domain  and  deterrence 
theory,  as  well  as  reviewing  existing 
policy,  this  article  shows  that  although 
deterrence  is  a  viable  component  of 
strategic  thought  for  conventional  and 


nuclear  military  operations,  deterrence 
in  cyberspace  is  limited  due  to  restric¬ 
tions  imposed  by  a  lack  of  attribution, 
signaling,  and  credibility.  As  a  result,  the 
U.S.  Government  should  strengthen  its 
cyberspace  defenses,  pursue  partnerships, 
and  advance  policy  and  legislative  solu¬ 
tions,  while  undertaking  further  research 
to  overcome  the  limits  inherent  in  cyber¬ 
space  deterrence  today. 

Understanding  Cyberspace 

Cyberspace  is  a  domain  created  through 
the  interaction  of  three  different  com¬ 
ponents:  the  hardware,  the  virtual,  and 
the  cognitive  (see  figure  1).  The  physi¬ 
cal  reality  of  cyberspace  is  comprised  of 
the  interdependent  network  of  informa¬ 
tion  technology  infrastructures.'’  This 
includes  all  the  hardware  of  telecom¬ 
munication  and  computer  systems,  from 
the  routers,  fiber  optic  and  transatlantic 
cables,  cell  phone  towers,  and  satellites, 
to  the  computers,  smartphones,  and, 
ultimately,  any  device  that  contains 
embedded  processors  such  as  electric 
power  grids  and  the  F-22  Raptor.  Some 
of  these  systems  might  be  connected 
to  local  networks  or  the  Internet  some 
or  all  of  the  time.  Others  might  never 
be  physically  connected  but  can  receive 
data  input  through  connected  devices 
or  external  media.  Cyberspace  also  has  a 
virtual  component  that  encompasses  the 
software,  firmware,  and  data — the  infor¬ 
mation — resident  on  the  hardware.  This 
includes  the  operating  systems,  applica¬ 
tions,  and  data  stored  on  the  hard  drive 
or  memory  of  a  computing  system. 

This  hardware  and  software  are  ex¬ 
tremely  complex,  fast,  and  cheap.  In  the 
past  40  years,  the  number  of  transistors 
on  a  microprocessor  has  increased  from 
2,300  to  over  2.5  billion.  Storage  devices 
are  200,000  times  the  size  of  the  first 
computer  hard  drive.  Aircraft  flown  by 
the  U.S.  Air  Force  have  evolved  from  the 
F-4  Phantom,  with  8  percent  of  its  func¬ 
tions  performed  by  software,  to  the  F-22 
Raptor,  which  is  80  percent  dependent 
on  computer  technology.^  Cyberspace  has 
become  a  global,  pervasive  environment 
with  everyone  from  users  to  corporations 
to  governments  becoming  more  depen¬ 
dent  on  comiectivity  and  access — and  this 


access  is  extremely  fast.  One  computer  can 
connect  to  another  on  the  other  side  of 
the  world  in  milliseconds.  Furthermore, 
the  cost  of  entry  into  cyberspace  has  be¬ 
come  negligible.  Originally,  only  research 
institutions  and  governments  could  afford 
it,  but  now  anyone  can  purchase  a  smart¬ 
phone  or  a  laptop  computer  and  have 
access  to  the  environment,  the  billions 
of  users,  and  the  millions  of  terabytes  of 
information  resident  in  it. 

The  human,  or  cognitive,  aspect  is 
the  final  element  of  cyberspace.  Whereas 
other  domains  are  solely  part  of  the  phys¬ 
ical  environment,  cyberspace,  as  the  only 
man-made  domain,  is  shaped  and  used  by 
humans.  Cognitive  personas  interact  with 
the  virtual  environment  and  each  other. 

In  cyberspace,  this  human  persona  can  be 
reflective,  multiplicative,  or  anonymous. 
To  access  certain  networks,  for  example, 
researchers  have  developed  identity 
management  tools  to  ensure  the  identity 
is  an  accurate  reflection  of  the  person. 
However,  the  same  user  can  have  a  dif¬ 
ferent  persona,  or  many  cyber  personas, 
in  other  systems — for  example,  multiple 
email  accounts.  This  leads  to  an  element 
of  anonymity  whereby  one  cannot  always 
positively  identify  the  user  of  a  system.  It 
is  difficult  to  prove  that  a  person  using  an 
account  is  the  person  he  or  she  claims  to 
be.  Cognitive  users  of  the  cyberspace  en¬ 
vironment  can  be  nation-state  or  nonstate 
actors  (such  as  users,  hackers,  criminals, 
or  terrorists). 

When  the  architecture  of  cyberspace 
was  originally  developed,  its  creators  en¬ 
visioned  neither  the  proliferation  nor  the 
advanced  technologies  that  would  evolve. 
If  he  had  a  chance  to  do  it  again,  Vint 
Cerf,  one  of  the  “fathers”  of  the  Internet, 
has  stated,  “I  would  have  put  a  much 
stronger  focus  on  authenticity  or  au¬ 
thentication — ^where  did  this  email  come 
from,  what  device  I  am  talking  to.”®  The 
limitations  of  cyberspace  make  it  difficult 
to  protect  and  defend  it.  Although  the 
physical  elements  may  reside  within  sov¬ 
ereign  territorial  boundaries,  the  virtual 
spaces  do  not.  Pakistan  has  cyber  assets 
in  the  United  States;  India  has  some 
of  its  assets  in  Norway.^  This  limits  the 
idea  of  a  possible  “Monroe  Doctrine”'” 
in  cyberspace,  especially  when  private 
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Figure  2.  Edward  Luttwak's  Armed  Suasion  Typology 
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and  foreign  entities  own  so  much  of  the 
infrastructure,  data,  and  virtual  compo¬ 
nents.  In  many  ways,  the  capabilities  and 
uses  inherent  in  cyberspace  are  limitless, 
restricted  only  by  existing  hardware  and 
software  restraints.  To  address  success¬ 
fully  whether  the  concept  of  cyberspace 
deterrence  is  feasible,  however,  requires  a 
framework  for  deterrence  theory  itself 

Understanding  Deterrence 

Deterrence,  according  to  joint  doctrine, 
is  the  prevention  of  action  by  either  the 
existence  of  a  credible  threat  of  unac¬ 
ceptable  counteraction  or  the  belief 
that  the  cost  of  action  outweighs  the 
perceived  benefits.^'  In  other  words, 
deterrence  is  successful  when  an  actor 
is  convinced  that  restraint  from  taking 
an  action  is  an  acceptable  outcome.'^ 

It  is  a  state  of  mind  in  the  adversary. 
Although  the  U.S.  military  can  take 
actions  with  intent  to  deter,  it  is  the 
adversary  who  determines  whether 
the  actions  are  successful.  Deterrent 
options  can  be  either  latent  (passive)  or 
active.  Latent  deterrence  is  a  defensive 
measure  also  referred  to  as  deterrence 
by  denial.  Active  deterrence  is  achieved 
through  the  threat  of  retaliation — or 
rather,  deterrence  by  punishment. 
Edward  Luttwak  in  The  Political  Uses 
of  Sea  Power  proposed  a  typology  for 
the  political  application  of  naval  power 
that  addressed  the  breadth  of  military 
purpose  from  deterring  to  waging  war. 
This  typology  is  applicable  to  the  cyber¬ 
space  domain  and  succinctly  depicts 
both  of  these  deterrent  options  (see 
figure  2).'®  The  first  of  these  options 
is  latent  deterrence  where  there  is  no 
directed  effort  by  an  actor  to  deter 
another.  In  cyberspace,  if  a  hacker 
wanted  to  break  into  a  wireless  network 
but  the  administrator  had  changed  the 
default  password,  the  hacker  might  be 
initially  deterred.  However,  the  admin¬ 
istrator  was  not  actively  deterring  the 
hacker.  Instead,  he  or  she  had  taken 
basic  cybersecurity  actions  to  protect, 
or  defend,  the  network.  As  a  result, 
the  security  and  resiliency  of  computer 
systems  provide  a  possible  deterrent  to 
actors  in  cyberspace.  The  second  deter¬ 
rent  option  is  active  deterrence.  In  this 


case,  the  deliberate  exercise  of  military 
influence  evokes  deterrent  effects.  For 
example,  if  the  United  States  issued 
warnings  or  threats  to  an  adversary,  this 
would  be  an  active  deterrence  act. 

Successful  active  deterrence,  however, 
requires  attribution,  signaling,  and  cred¬ 
ibility.'*^  A  target  for  deterrence  must 
be  identifiable  (or  attributable).  For 
example,  in  the  nuclear  arena,  the  United 
States  has  matured  its  capability  in  foren¬ 
sics  to  determine  the  origin  of  nuclear 
material  regardless  of  the  source.'^  It 
can  attribute  the  material  to  a  particular 
nation  or  actor,  which  thus  becomes 
the  target  to  which  deterrent  actions  are 
tailored.  Sipinaling  is  the  effort  to  com¬ 
municate  the  message  to  the  intended 
audience.  Credibility  maintain¬ 

ing  a  level  of  beUevability  that  proposed 
actions  might  be  used.  If  the  United 
States  claims  that  a  response  would  be 
full  spectrum,  the  target  needs  to  believe 
it.  This  also  requires  a  demonstration  of 
capability.  To  deter  a  target  actively,  one 
has  to  have  the  means  to  threaten  the  tar¬ 
get  into  inaction.  In  a  nuclear  scenario,  all 
nations  are  aware  of  the  American  ability 
to  attribute  a  nuclear  attack  to  its  source, 
U.S.  retaliatory  policy,  and  its  demon¬ 
strated  nuclear  abilities.  The  United 
States  has  the  clear  capability  and  cred¬ 
ibility  to  follow  through  with  this  threat 
and  has  provided  signaling  to  any  who 
would  challenge  it.  However,  nuclear 
deterrence  strategy  does  not  translate 
well  to  other  domains.  To  address  some 


of  these  concerns  in  today’s  asymmetric 
environments,  Washington  revised  its 
deterrent  options  to  a  tailored  deterrence 
concept  focused  on  specific  state  or  non¬ 
state  actors.'®  Nevertheless,  cyberspace 
policy  and  doctrine  have  not  evolved  as 
smoothly. 

Cyberspace  and  Deterrence 
in  Policy  and  Doctrine 

In  2009,  Lieutenant  General  Robert 
Schmidle,  Jr.,  USMC,  then  the  first 
deputy  commander  for  U.S.  Cyber 
Command,  summarized  the  state  of  stra¬ 
tegic  thinking  for  the  newest  warfighting 
domain:  “There  is  a  real  dearth  of  doc¬ 
trine  and  policy  in  the  world  of  cyber¬ 
space.”"*  At  that  time,  cyberspace  stra¬ 
tegic  thought  was  limited  in  scope  and, 
in  some  cases,  classified.  More  than  10 
years  earlier.  President  Bill  Clinton  had 
identified  the  importance  of  and  vulner¬ 
ability  present  in  American  systems  when 
he  issued  an  executive  order  in  1996  on 
critical  infrastructure  protection.^"  In  the 
ensuing  decade,  however,  terms  such  as 
computers,  cyberspace,  or  networks  barely 
received  mention  in  American  national 
strategic  policy.  For  example,  the  2005 
National  Defense  Strategy  touched  on 
cyber  assurance  support.  In  addition, 
the  2006  Quadrennial  Defense  Review 
declared  the  Department  of  Defense 
(DOD)  would  “maintain  a  deterrent 
posture  to  persuade  potential  aggressors 
that  objectives  including  cyberspace 
would  be  denied  and  could  result  in 
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Table  1.  Deterrence  and  Cyberspace  in  Policy 


Policy 

Summary 

2010  National  Security 
Strategy 

Prevent/deter  state  and  nonstate  actors: 

■  identify  and  interdict  threats 

■  deny  hostile  actors'  ability  to  operate  within  borders 

■  protect  critical  infrastructure  and  key  resources 

■  secure  cyberspace  (invest  in  people/technology  and  strengthen  partnerships). 

Recognizes  some  threats  cannot  be  deterred. 

2011  National  Military 
Strategy 

Military  role  is  to  deter  and  defeat  aggression. 

Enhance  deterrence  by  having  capability  to  fight  through  degraded  environment  and  improving  ability  to  attribute  and  defeat 
attacks  on  systems  and  infrastructure. 

Military  must  provide  broad  range  of  options  to  ensure  access  and  use  of  cyberspace  and  hold  malicious  actors  accountable. 
Need  for  resilient  cyberspace  architecture  employing  detection,  deterrence,  denial,  and  multilayered  defense. 

2011  International 
Strategy  for  Cyberspace 

Dissuade  and  deter  with  overlapping  policies  that  combine  network  resilience  with  vigilance  and  credible  response  options. 

The  United  States  will  respond  to  hostile  acts  in  cyberspace  as  to  any  other  threat  to  the  country  through  the  use  of  any 
available  means. 

2011  DOD  Strategy  for 
Operating  in  Cyberspace 

Support  2011  International  Strategy  for  Cyberspace. 

Deter/mitigate  insider  threats  through  workforce  accountability  and  internal  monitoring. 

Enables  collective  self-defense  and  deterrence  through  development  of  international  shared  situational  awareness  and 
warning  capabilities. 

Table  2.  Deterrence  and  Cyberspace  in  Joint  Doctrine 


Joint  Publication 

Deterrence  and  Cyberspace  Summary 

3-0,  Joint  Operations 

Role  of  deterrence  in  general:  "Deterring  adversaries  is  a  [U.S.]  goal." 

Role  of  deterrence  in  joint  operational  planning  process 

Cyberspace  only  mentioned  in  inclusion  of  U.S.  Cyber  Command  and  its  mission. 

3-12,  Cyberspace 
Operations 

Does  not  mention  deterrence  specifically  or  directly. 

Cyberspace  defensive  actions  include  protect,  detect,  characterize,  counter,  and  mitigate  to  secure,  operate,  and  defend  network. 
Cyberspace  attack  actions  are  deny,  degrade,  disrupt,  destroy,  and  manipulate  to  create  direct  denial. 

Cyberspace  capabilities  are  integrated  at  all  levels  and  in  all  military  operations. 

Cyberspace  operations  are  conducted  across  the  range  of  military  operations. 

3-13,  information 
Operations 

Effective  employment  of  information-related  capabilities  (including  cyberspace  operations)  during  shape  and  deter  phases  of 
an  operation  or  campaign  can  have  significant  impact. 

Cyberspace  capabilities  deny  or  manipulate  decisionmaking. 

3-14,  Space  Operations 

Space  deterrence  is  accomplished  by: 

■  promoting/demonstrating  responsible  behavior  in  space 

■  pursuing  partnerships  that  encourage  restraint 

■  contributing  to  quick  attribution  for  attacks 

■  protecting  space  capabilities  and  infrastructure 

■  implementing  appropriate  responses  should  deterrence  fail. 

3-27,  Homeland  Defense 

Offensive  capabilities  with  defensive  may  deter  adversary  from  threatening  or  attacking  the  homeland. 

Environment  presents  unique  challenges  for  Joint  force  commander  (JFC)  in  selection  and  engagement  of  targets  in  cyberspace. 
Because  specific  attribution  and  geographic  location  are  often  difficult  to  determine,  JFC  must  abide  by  rules  of  engagement. 

5-0,  Joint  Operation 
Planning 

Includes  examples  of  deterrent  options  for  each  instrument  of  national  power. 

Informational  flexible  deterrent  options  include  protecting  friendly  communications  systems  and  intelligence  assets  through 
computer  network  defense,  operations  security,  and  information  assurance. 

Deterrence  Operations 
Joint  Operating  Concept 

Published  in  2006,  but  not  a  standard  Joint  publication.  It  was  scheduled  for  an  update  in  2008. 

Identified  that  network  defense  capabilities  could  play  important  role  in  deterrence  operations. 

overwhelming  response,”^'  but  did  not 
build  upon  this,  and  neither  did  military 
doctrine.  Although  President  George  W. 
Bush  did  not  address  cyberspace  in  the 
2002  National  Security  Strategy  (NSS), 
he  did  mention  deterrence.  First,  there 
is  a  preeminent  focus  on  weapons  of 
mass  destruction  and  the  importance  to 
deter  their  use  whenever  possible.  The 
2002  NSS  highlights  the  military’s  role 
in  deterring  these  threats  against  U.S. 


interests  and  theorizes  that  traditional 
concepts  of  deterrence  will  not  work 
against  terrorists.^^  Furthermore,  the 
2002  NSS  identified  a  requirement  to 
detect  and  deter  international  industrial 
espionage  but  did  not  present  this  task 
as  a  military  role.  Instead,  this  is  covered 
under  the  task  of  enforcing  trade  agree¬ 
ments  and  laws  against  unfair  practices. 

Since  President  Obama’s  statement 
in  2009  emphasizing  the  importance  of 


cyberspace  to  national  security,  policy 
and  doctrine  for  the  cyberspace  domain 
and  cyberspace  deterrence  have  advanced 
significantly.  Although  not  consistent 
with  each  other,  the  2010  NSS,  the 
2011  National  Military  Strategy,  and 
other  policy  documents  have  begun  to 
address  cyberspace  and  define  objectives 
for  cyberspace  deterrence  (see  table  1). 
Joint  doctrine  also  varies  in  its  maturity 
and  consistency  in  referring  to  deterrence 
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or  the  cyberspace  domain  (see  table  2). 
For  example,  Joint  Publication  (JP)  3-14, 
Space  Operations,  includes  ways  through 
which  space  deterrence  is  accomplished. 
Although  some  of  these  would  be  ap¬ 
plicable  to  the  cyberspace  domain,  JP 
3-12,  Cyberspace  Operations,  does  not 
address  deterrence  at  all.  Moreover,  cy¬ 
berspace  doctrine  for  the  military  Services 
is  not  consistent  with  joint  doctrine.  It  is 
continuing  to  mature  through  military 
exercises  and  the  evolution  of  the  U.S. 
Cyber  Command  force  development 
construct.  For  instance,  the  relevant  doc¬ 
trine  for  the  Air  Force  was  last  updated  in 
2011 — 2  years  before  the  publication  of 
the  joint  doctrine — and  does  not  address 
deterrence  in  a  useful  capacity.^^ 

Based  on  this  existing  policy  and 
doctrine  and  additional  scholarly  efforts, 
proposed  cyberspace  deterrent  options 
include: 

■  develop  policy  and  legal  procedures 

■  develop  other  credible  response 
options 

■  pursue  partnerships 

■  secure  cyberspace 

■  enhance  resiliency 

■  strengthen  defense 

■  conduct  cyberspace  deception. 

Each  of  these  deserves  a  brief  expla¬ 
nation.  Developing  policy  serves  as  a 
signaling  component  of  deterrence  and 
provides  credibility  when  supported  by 
demonstrated  action.  Closely  integrated 
with  policy  is  enhancing  legal  procedures 
to  apprehend  and  prosecute  criminals  and 
nonstate  actors.  Other  credible  response 
options  include  demonstrating  capabili¬ 
ties  to  identify  and  interdict  threats,  to 
conduct  offensive  actions  in  cyberspace, 
and  to  implement  appropriate  responses 
should  deterrence  fail.  The  notion  of 
pursuing  partnerships  drives  an  environ¬ 
ment  where  multiple  states  and  nonstate 
actors  can  work  together  for  the  improve¬ 
ment  of  all  those  involved.  This  can  be 
accomplished  through  strengthening  in¬ 
ternational  norms  for  cyberspace,  but  can 
also  further  a  framework  for  constructive 
deterrence. In  this  situation,  adversaries 
are  co-opted  into  a  relationship,  prevent¬ 
ing  them  from  taking  the  action  one  is 
working  to  deter.  Securing  cyberspace 


involves  investing  in  digital  literacy,  devel¬ 
oping  secure  teclmologies,  and  mitigating 
the  insider  tlireat.  Enhancing  resilience 
is  a  latent  deterrent  that  helps  one  “fight 
through”  in  a  degraded  environment. 
Aligned  with  this  is  strengthening  defense 
by  protecting  infrastructure,  denying 
adversaries  the  ability  to  operate  within 
one’s  borders,  improving  the  ability 
to  defeat  attacks,  sharing  situational 
awareness,  and  improving  attribution. 
Some  authors  suggest  deception  serves 
as  a  deterrent  because  cyberspace  op¬ 
erations  have  the  ability  to  manipulate 
decisionmaking.  However,  deception 
is  not  a  deterrent;  it  is  an  intentional 
act  designed  to  gain  an  advantage  and 
inherently  serves  a  different  purpose  than 
deterrence.^® 

Barriers  to  Cyberspace 
Deterrence 

Cyberspace  characteristically  provides 
limitations  to  many  of  the  proposed 
cyberspace  deterrent  options.  The 
first  of  these  is  the  attribution  chal¬ 
lenge  compounded  by  the  speed  of  the 
domain.  In  2012,  then-Secretary  of 
Defense  Leon  Panetta  stated,  “Potential 
aggressors  should  be  aware  that  the 
U.S.  has  the  capacity  to  locate  them 
and  to  hold  them  accountable  for  their 
actions.”^’’  Nothing  could  be  further 
from  the  truth.  In  2007,  Estonia  was 
the  target  of  “large  and  sustained 
distributed  denial-of-service  attacks 
flooding  networks  or  websites  .  .  .  many 
of  which  came  from  Russia, but 
who  was  responsible?  Although  the 
attacks  appeared  to  come  from  network 
addresses  within  Russia,  it  was  never 
confirmed  whether  this  was  a  state - 
sponsored  or  nonstate  effort.  Some 
authors  argue  that  an  obvious  deterrent 
to  attacks,  espionage,  or  criminal  activ¬ 
ity  in  cyberspace  is  to  identify  publicly 
the  countries  where  these  efforts 
originated,  thereby  leading  others  to 
regard  that  nation  as  a  risky  place  to  do 
business.^®  Nations  could  also  pursue 
sanctions  against  those  harboring  these 
actors.^®'  Unfortunately,  many  countries, 
including  the  United  States,  do  not 
have  the  resources  or  the  legal  standing 
to  validate  the  identity  of  the  attackers 


or  to  take  actions  against  them.  The  dif¬ 
ficulty  of  attribution  is  also  a  significant 
challenge  to  a  cyberspace  response. 

Any  rapid  counterstrike  is  likely  to  hit 
the  wrong  target,  but  hesitation  could 
lead  to  increased  vulnerability  and 
exploitation. 

A  second  limitation  to  cyberspace 
deterrence  is  that  the  first-strike  advan¬ 
tage  cannot  be  deterred.  Sun  Tzu  wrote, 
“Know  the  enemy  and  know  yourself,”®" 
but  in  cyberspace,  many  vulnerabilities 
are  unknown.  In  2007,  both  American 
and  British  government  agencies  de¬ 
tected  a  series  of  attacks  codenamed 
“Titan  Rain.”®®  These  attacks,  report¬ 
edly  one  of  the  largest  scale  infiltrations 
known  at  the  time,  had  allegedly  been 
going  on  undetected  since  2002.®®  This 
is  only  one  example,  but  it  demonstrates 
how  the  complexities  of  the  domain 
make  it  impossible  to  be  aware  of  all 
vulnerabilities  or  to  monitor  all  systems. 
Existing  cyberspace  capabilities,  defenses, 
and  forces  (both  law  enforcement  and 
military)  also  fail  to  deter  opponents.  In 
2012,  Symantec,  a  cybersecurity  com¬ 
pany,  identified  a  58  percent  increase  in 
mobile  malware  and  over  74,000  new 
malicious  Web  domains.®®  Moreover, 
there  is  a  healthy  market  for  zero-day 
exploits  with  prices  ranging  from  $5,000 
to  $250,000.®^  In  a  related  study  on 
the  cost  of  cybercrime,  the  Ponemon 
Institute  found  a  42  percent  increase  in 
successful  cyber  attacks  on  companies 
in  2012 — a  number  that  continues  to 
move  upward,  although  this  trend  could 
be  attributed  to  businesses  being  more 
forthcoming  on  criminal  activity.®®  Both 
Symantec  and  McAfee  have  provided  es¬ 
timates  on  the  annual  cost  of  worldwide 
cybercrime  ranging  from  $110  billion  to 
$I  trillion,®"  though  determining  accu¬ 
rate  costs  is  difficult  as  many  companies 
do  not  want  to  report  incidents  due  to 
possible  business  repercussions,  and  oth¬ 
ers  may  not  be  aware  of  criminal  activity. 
Accordingly,  it  is  difficult  to  show  where 
deterrent  actions  deny  either  state  or 
nonstate  actors  benefits. 

Third,  there  is  a  risk  of  asymmetric 
vulnerability  to  attack  in  cyberspace — that 
is,  the  threat  that  the  use  of  a  capability 
could  backfire.  As  one  actor  develops 
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Workers  prepare  for  launch  of  third  Advanced  Extremely  High  Frequency  satellite,  a  Joint- 
Service  system  that  provides  survivable,  near  worldwide,  secure,  protected,  and  jam-resistant 
communications  for  high-priority  national  military  operations  (Courtesy  Lockheed  Martin) 


offensive  and  defensive  capabilities, 
other  actors  will  strive  to  improve  their 
offensive  and  defensive  skills  as  well. 

This  continuous  endeavor  could  push 
a  model  that  leads  to  a  cyber  “arms 
race.”^^  In  1998,  the  Central  Intelligence 
Agency  (CIA)  director  announced  the 
United  States  was  developing  computer 
programs  to  attack  the  infrastructure 


of  other  countries.^®  By  then,  the  U.S. 
Government  Accountability  Office  esti¬ 
mated  over  120  state  and  nonstate  actors 
had  or  were  developing  information  war¬ 
fare  systems.^’  Information  on  exploiting 
vulnerabilities  and  attacking  networks  is 
readily  available  on  the  Internet,'*®  and 
with  American  dependency  on  cyberspace 
being  greater  than  most,  the  United 


States  is  taking  a  risk  by  developing  ad¬ 
vanced  cyberspace  capabilities. 

Credibility  is  also  a  significant  issue  in 
cyberspace.  Credibility  is  dependent  on 
proof,  but  attacks  that  work  today  may 
not  work  tomorrow.  Even  though  the 
United  States  has  “pre-eminent  offensive 
cyberspace  capabilities,  it  obtains  little  or 
no  deterrent  effect”'**  from  them  for  two 
reasons.  First,  claiming  to  put  a  specific 
target  at  risk  from  a  cyber  attack  will 
likely  result  in  that  asset  receiving  addi¬ 
tional  protection  or  being  moved  offline 
and  placed  out  of  risk.^^  Second,  secrecy 
may  be  working  against  American  inter¬ 
ests.  General  James  Cartwright,  USMC, 
stated,  “You  can’t  have  something  that’s 
secret  be  a  deterrent.  Because  if  you 
don’t  know  it’s  there,  it  doesn’t  scare 
you.”^^  Once  introduced,  cyberspace 
weapons  become  public  property,  which 
quickly  renders  the  capability  useless.'*^ 
Stuxnet,  the  malware  that  destroyed 
centrifuges  in  Iranian  nuclear  facilities,  is 
a  perfect  example.  After  its  identification, 
responses  resulted  in  two  separate  reac¬ 
tions:  companies  patched  vulnerabilities 
in  their  software  exploited  by  Stuxnet, 
and  variants  of  the  malware  began  to 
appear.  Unlike  kinetic  weapons,  cyber 
weapons,  once  released,  can  be  analyzed, 
understood,  and  modified  by  other  ac¬ 
tors,  thereby  eliminating  the  deterrent 
element  of  the  cyberspace  capability. 

Credibility  is  also  dependent  on  ac¬ 
tion.  However,  the  United  States  has 
a  poor  track  record  of  responding  to 
cyberspace  incidents  due  to  delayed 
detection,  inability  of  attribution,  and 
limited,  if  any,  action'*®  as  the  boundar¬ 
ies  of  proportionality  are  still  evolving. 

In  2009,  then-Major  General  William 
Lord,  commander  of  the  Air  Force  Cyber 
Command  (Provisional),  noted,  “It’s  eas¬ 
ier  for  us  to  get  approval  to  do  a  kinetic 
strike  with  a  2,000-pound  bomb  than  it 
is  for  us  to  do  a  non-kinetic  cyber  activ¬ 
ity.”'*’’  Even  though  President  Obama, 
through  the  International  Strategy  for 
Cyberspace,  has  stated  the  United  States 
reserves  the  right  to  respond  to  hostile 
acts  in  cyberspace  with  any  instrument 
of  national  power,  and  the  Pentagon  has 
declared  that  a  computer  attack  from  a 
foreign  nation  could  be  considered  an 
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act  of  war,  both  have  left  unclear  what 
the  response  would  be.**^  The  U.S. 
Government,  its  citizens,  and  private 
organizations  are  on  the  receiving  end 
of  millions  of  cyber  intrusions  per  day, 
but  the  United  States  has  established  a 
precedent  of  limited  action  to  and  toler¬ 
ance  of  these  incidents.  The  2007  Estonia 
incident  also  depicts  one  aspect  of  this 
credibility  challenge.  As  a  result  of  the 
alleged  Russian  cyber  attacks,  Estonia  de¬ 
clared  its  security  threatened  and  sought 
support  from  the  North  Atlantic  Treaty 
Organization.'*®  However,  many  Alliance 
members,  including  the  United  States, 
did  not  share  this  perspective.  There  had 
been  no  physical  violence,  casualties,  or 
territorial  invasion,  and  Russia  did  not 
claim  responsibility  for  the  incidents. 
Tolerance  to  crime,  espionage,  and  other 
cyberspace  acts  has  established  a  high 
threshold  preventing  the  use  of  force  in 
domains  other  than  cyberspace  to  date. 

Lastly,  cyberspace  actors  have  a 
different  risk  tolerance  than  those  act¬ 
ing  in  a  physical  domain  due  to  their 
perceived  anonymity,  invulnerability, 
and  global  flexibility.  Neither  policy  nor 
legal  recourse  is  sufficient  to  deter  state 
or  nonstate  actors  from  their  objectives. 
For  example,  no  one  has  officially  claimed 
responsibility  for  the  development  and 
deployment  of  Stuxnet.  Additionally,  last 
year,  the  Federal  Bureau  of  Investigation 
published  a  Cyber  Most  Wanted  Ust.'*^ 
Although  there  are  Federal  arrest  war¬ 
rants  on  these  people,  it  is  likely  none  of 
them  are  in  the  country  or  committed 
their  crimes  while  in  it.  In  many  cases,  the 
actors’  goals  are  to  defy  authority  or  gain 
prestige.®”  Existing  guidance  is  neither 
credible  nor  enforceable  and  antiquated 
legal  procedures  have  not  kept  up  with 
technological  advances  to  meet  this  chal¬ 
lenge.  Then-commander  of  U.S.  Cyber 
Command,  General  Keith  Alexander, 
USA,  stated  in  2012,  “Last  year  we  saw 
new  prominence  for  cyber  activist  groups, 
like  Anonymous  and  Lulz  Security  that 
were  encouraging  hackers  to  work  in  uni¬ 
son  to  harass  selected  organizations  and 
individuals.”®*  Besides  being  insufficient 
to  deter  state  and  nonstate  actors,  U.S. 
or  international  cyberspace  policy  chal¬ 
lenges  American  interests.  Washington 


wants  to  maintain  freedom  of  action  in 
cyberspace,  which  includes  the  ability  to 
conduct  espionage  and  exploitation  for 
diplomatic  and  military  reasons.  Pursuing 
partnerships,  especially  in  the  interna¬ 
tional  commons,  challenges  this  desire. 

In  December  2012,  the  International 
Telecommunications  Union  revised 
governing  agreements  with  a  negotiated 
global  telecommunications  treaty.  On 
the  day  before  the  scheduled  signing,  the 
United  States  rejected  it  for  two  reasons: 
the  interrelationship  between  telecom¬ 
munications  and  the  Internet,®^  and  an 
expansion  of  the  United  Nations’  role  in 
Internet  governance.®®  Even  though  the 
agreement  would  not  have  been  legally 
binding,  the  United  States  believed 
the  former  reason  could  have  led  to 
restrictions  on  free  speech  and  the  latter 
would  drive  a  government-led  model  for 
Internet  oversight.  Instead,  the  United 
States  prefers  the  multi -stakeholder 
model  in  place  today  that  allows  for  gov¬ 
ernment,  commercial  entities,  academia, 
and  others  to  deliberate  and  establish 
Internet  standards.  If  Washington  is 
serious  about  international  partnerships 
in  cyberspace,  it  needs  to  find  a  way  to 
overcome  its  realist  angst  in  this  domain. 
The  iinpetus  to  maintain  cyberspace  free¬ 
dom  of  action  limits  the  option  to  hold 
a  nation  accountable  for  cyber  activities 
within  its  borders. 

These  barriers  to  deterrence  delineate 
problems  with  attribution,  signaling,  and 
credibility — all  characteristics  of  active 
deterrence.  Moreover,  the  technology 
and  architecture  of  the  cyberspace  do¬ 
main — the  complexity,  vuhterabiUty,  and 
attribution  problems — limit  the  success 
of  credible  response  options  for  deter¬ 
rence  as  well.  However,  even  though  the 
cyberspace  domain  is  not  100  percent 
defensible,  latent  deterrence  options 
through  cyber  defense  do  provide  a  viable 
option  for  use  in  cyberspace. 

Recommendations 

Successful  cyberspace  deterrence  needs 
to  be  a  whole-of-government  effort 
to  defend  the  military,  the  public 
and  private  sectors,  and  international 
partners  and  allies.  Based  on  the 
assessment  presented,  feasible  options 


for  cyberspace  deterrence  comprise 
strengthening  defense  to  include  secur¬ 
ing  cyberspace  and  increasing  resiliency, 
pursuing  partnerships,  and  advancing 
policy  and  legislative  solutions.  Today, 
these  options  are  restricted  to  the  realm 
of  latent  deterrents.  Further  research, 
however,  may  yield  opportunities  that 
eliminate  the  attribution,  signaling,  and 
credibility  restrictions  of  the  cyberspace 
domain. 

To  support  defensive  actions,  private 
and  public  organizations  need  to  identify 
critical  assets  and  build  up  resiliency  of 
those  systems  including  ensuring  non¬ 
homogeneity  in  systems  technology. 

For  example,  rather  than  standardizing 
software  and  hardware  across  a  network, 
organizations  should  install  different 
operating  systems  for  key  backup  systems. 
Unfortunately,  recent  efforts  are  headed 
the  other  way.  DOD  is  developing  a 
single  integrated  network  with  an  expec¬ 
tation  that  it  will  be  more  cost  effective 
and  can  be  more  easily  defended.  Instead, 
this  centralizes  vuhterabiUties  and  makes 
it  easier  for  adversaries  to  exploit.  For 
instance,  the  Air  Force’s  unclassified 
network  desktop  and  server  solution  is 
built  around  the  Microsoft  Windows 
operating  system,  but  this  operating 
system  has  thousands  of  known  (and 
unknown)  vulnerabilities.  The  unclassi¬ 
fied  network  routers  are  a  standardized 
Cisco  product,  yet  Cisco  has  identified 
and  published  560  security  advisories  for 
its  systems.®'*  As  a  result  of  identifying  a 
new  vulnerability  in  either  the  Microsoft 
or  Cisco  systems,  a  cyber  actor  can  ex¬ 
ploit  or  attack  all  areas  of  the  network 
dependent  on  those  products.  On  the 
other  hand,  this  actor  would  be  unable  to 
affect  the  F-22’s  Integrated  Management 
Information  System  directly  as  it  runs  on 
a  different  operating  system. 

In  addition,  the  military  needs  to 
defend  priority  systems  and  expand  the 
forces  available  to  conduct  mission  as¬ 
surance.  Mission  assurance  is  the  ability 
to  ensure  a  mission  is  successfully  ac¬ 
complished  even  when  under  attack  or 
in  a  reduced  operating  environment. 
Although  all  military  systems  depend  on 
cyberspace,  not  all  systems  have  equal 
priority.  Further  efforts  should  be  made 
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to  exercise  with  degraded  cyberspace 
capabilities  to  identify  critical  priorities 
and  determine  the  necessary  forces  and 
resources  for  defense.  However,  this 
is  not  just  a  military  issue.  The  critical 
infrastructure  of  the  United  States  is  also 
at  risk.  In  coordination  with  DOD  and 
the  Department  of  Homeland  Security, 
the  National  Guard  conducts  mission 
assurance  assessments  for  critical  defense 
industrial  base  and  prioritized  critical 
infrastructure  and  key  resource  assets.®® 
Increased  growth  in  this  program  would 
expand  the  available  defenses  and  re¬ 
siliency  for  the  Nation  and  increase  its 
latent  deterrent  capabilities. 

To  further  strengthen  defenses,  the 
U.S.  Government  should  incentivize  the 
public  and  private  sectors  to  take  steps 
that  will  compel  them  to  assure  others 
they  have  not  been  maliciously  compro¬ 
mised.  Unlike  the  pursuit  of  regulatory 
solutions,  incentives  would  drive  an 
increase  in  cybersecurity.  For  example, 
U.S.  Transportation  Command  has 
modified  contracting  language  to  require 
companies  to  provide  information  assur¬ 
ance  data  and  report  compromises.®®  In 
return,  the  command  shares  information 
with  contractors  to  enhance  their  cyber¬ 
security.  This  effort  could  be  enhanced 
by  linking  contracting  bonuses  or  profit 
opportunities  to  specific  cybersecurity 
postures.  The  U.S.  Government,  on  the 
other  hand,  could  establish  guidelines  to 
provide  tax  breaks  or  subsidies  for  com¬ 
pliance  with  certain  standards. 

In  the  pursuit  of  partnerships, 
Washington  should  engage  internation¬ 
ally  to  establish  cyberspace  norms.  Lack 
of  norms  has  led  to  a  substantial  gray 
area  exploited  by  state  and  nonstate  ac¬ 
tors  alike.  In  2011,  China,  Russia,  and 
others  submitted  an  International  Code 
of  Conduct  for  Information  Security  to 
the  United  Nations  as  a  possible  start¬ 
ing  point  for  the  development  of  these 
norms. ®^  The  United  Kingdom  has  also 
hosted  two  international  conferences  on 
the  subject.®®  However,  different  nations 
have  different  priorities  and  interests 
in  the  pursuit  of  the  normalization  of 
cyberspace.  The  United  States  seeks  to 
ensure  freedom  of  access  while  enhancing 
the  security  of  networks.  Other  countries. 


such  as  Russia  and  China,  focus  on  the 
risk  of  freedom  of  access  to  their  political 
stability.  One  recommendation  would 
engage  the  United  States  with  those 
countries,  whether  they  are  allies,  part¬ 
ners,  or  friends,  who  have  similar  interests 
to  address  these  issues  from  a  common 
platform.  Although  a  broad  agreement 
may  not  be  possible  at  this  time,  steps  are 
needed  toward  improving  overall  security 
in  the  cyberspace  environment. 

Another  area  to  improve  is  advanc¬ 
ing  policy  and  legal  options.  Legislation 
lags  behind  the  speed  of  innovation  in 
cyberspace.  The  development  of  warfare 
and  corresponding  law  for  other  domains 
has  been  refined  over  decades,  as  in  the 
case  of  air  and  space,  or  centuries.  In  cy¬ 
berspace,  technological  progress  has  been 
exponential,  but  corresponding  domestic 
and  international  law  is  decades  behind 
schedule.  This  status  quo  hinders  the 
pursuit  and  prosecution  of  criminal  actors 
due  to  the  global  nature  of  cyberspace. 
The  U.S.  Government  needs  to  assign 
greater  resources  to  address  this  problem 
today.  Policy  can  also  support  deterrence 
goals,  but  it  needs  to  be  clearly  stated, 
credible,  and  consistent. 

Lastly,  the  U.S.  Government  and 
DOD  should  advocate  for  greater 
research  and  development  to  increase 
attribution  and  systems  security  and  to 
support  an  evolution  of  the  cyberspace 
domain  toward  a  more  secure  and  robust 
environment.  For  example,  improve¬ 
ment  in  identity  management  has  shown 
significant  results  in  deterring  attacks. 
Implementation  of  the  DOD  Common 
Access  Card  reduced  intrusions  into 
military  networks  by  over  50  percent.®*’ 
Ultimately,  cyberspace  attacks  are  possible 
only  because  networks  and  systems  have 
flaws.®®  If  the  United  States  can  eliminate 
those  flaws,  additional  cyberspace  deter¬ 
rent  options  may  become  available. 

Conclusion 

In  1982,  an  American  satellite  detected 
a  large  blast  in  Siberia  that  turned  out 
to  be  an  explosion  of  a  Soviet  gas  pipe¬ 
line.®'  This  explosion,  which  was  the 
result  of  a  deliberate  action  by  the  CIA 
to  tamper  with  the  software  in  the  com¬ 
puter  control  system,  represented  the 


first  cyber  attack  of  its  kind  in  history. 
This  attack  demonstrated  the  use  of  a 
weapon  that  ignored  physical  defenses 
and  deterrent  threats  and  showed  “the 
U.S.  was  willing  to  use  malware  against 
a  hostile,  nuclear- armed  superpower 
without  concern  of  attribution  or  threat 
of  retaliation.”®^  If  the  United  States  is 
not  deterred,  how  can  it  ensure  others 
would  be? 

Deterrence  through  cyberspace  by 
means  o/cyberspace  is  limited  due  to  its 
inherent  character  and  purpose.  The  ano¬ 
nymity,  global  reach,  scattered  nature,  and 
interconnectedness  of  the  domain  reduce 
the  effectiveness  of  deterrence  and  can 
render  it  useless.®®  In  this  environment, 
developing  deterrents  or  a  deterrent 
strategy  against  state  or  nonstate  actors 
does  have  some  utility.  Even  though  the 
man-made  nature  of  the  domain  hinders 
the  attribution,  signaling,  and  credibility 
required  for  active  deterrence,  all  cyber 
actors  do  want  to  accomplish  something, 
and  defensive  deterrence  is  more  effective 
in  cyberspace  than  attempting  to  impose 
costs.®''  Defensive  deterrence,  however,  is 
a  whole-of-government,  whole-of-nafion 
effort.  The  U.S.  military  is  focused  on 
defending  its  own  networks,  but  there  is 
a  lack  of  effort  to  defend  the  national  in¬ 
frastructure.  Through  understanding  the 
limits  of  cyberspace  deterrence,  strategists, 
policymakers,  and  planners  can  advance 
policy  and  doctrine  that  will  rise  to  the 
challenges  presented  in  this  warfighting 
domain.  Nevertheless,  additional  research 
may  one  day  overcome  these  limits  to 
cyberspace  deterrence.  JFQ 
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